This article is part two of the “Extract/Dump password from exe” series. In part one, we focused on unpacking executables generated by script converters such as PyInstaller, Py2exe and AutoIt. In this article, we will focus on executables compiled by Visual Studio and Delphi. Basically, we will try to understand what information is available in the executable file via strings.exe. Although more and more developers are moving to Visual Studio today, we still see some applications and malware written in Delphi. Therefore, we will also cover Delphi in our discussion.
Why is it important?
If you are a red team player, this article gives you an expectation of what information (e.g. credentials) is available in the executable file. In addition, traditional anti-virus relies on recognizing signatures (keywords). If we have a better understanding of the relationship between source code and the compiled executable, this certainly enhances the ability to evade that defense technology.
On the other hand, if you are a blue team player, you can review the executable with the developer before the credential information leaks into the wrong hands. Moreover, when performing initial malware analysis, you will have the correct expectation when evaluating the executable file.
Lab environment
To facilitate our discussion, some simple client applications that connect directly to a database were designed. In general, the database connection between a client application and a database requires a “connection string”. This connection string includes information such as the IP address of the database server and even the user name and password. If “Integrated Security” is used for the database connection, then the user name and password are not available inside the executable file.
In our experiment, all programs written in Delphi (XE 2 and XE 10) were designed specifically to connect to a MySQL database. On the other hand, applications written in VB .NET, C# and C++ (Visual Studio 2013, 2017 and 2019) were designed to use a MSSQL database. Below is the connection string information used for both the MySQL and MSSQL databases in our source code.
Server hostname: localhost
Database Name: mytestdb
User Name: mytestuser1
Password: AAAAABB_2
(Database connection information used specifically in our lab)
Source code used in lab
Firstly, we will give you a high-level overview of ALL source code used in this experiment:
- A database connection component with the connection string defined, implemented either via “drag-and-drop” in the IDE or in runtime source code.
- A data source binding component connecting the database connection component and the data grid component, implemented either via “drag-and-drop” in the IDE or in runtime source code.
- A data grid component responsible for displaying information from the database, implemented either via “drag-and-drop” in the IDE or in runtime source code.
- A remark (comment) containing the string RemarkAAAAA was explicitly defined for our test cases. Later, we will see whether the remark is still available after the program is compiled.
- Multiple private and public variables and values with the suffix AAAAA were also defined.
All the source code used in this testing is also available for download via our github repository here. We are not going to discuss every piece of source code used in this testing because we do not want to make this a programming article. Therefore, instead of discussing the source code for each language, we will only discuss one example. Below is the VB .NET code snippet:
    Public Class Form1
        ' Class-level variable; this variable name will be available via strings.exe
        Dim MyClassVarAAAAA As String

        Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
            ' RemarkAAAAA
            Me.Tbl_personTableAdapter.Fill(Me.MytestdbDataSet.tbl_person)
            Dim MyFunctionVarAAAAA As String
            MyClassVarAAAAA = "MyClassValueAAAAA"
            MyFunctionVarAAAAA = "MyFunctionValueAAAAA"
            MsgBox("Static_MsgBox_MessageAAAAA")
            MsgBox(MyClassVarAAAAA)
            MsgBox(MyFunctionVarAAAAA)
        End Sub
    End Class
As shown in the example above, we have defined multiple variables and values using the keyword “AAAAA”. Later on, we will grep for the keyword “AAAAA” and see what is included inside the executable file.
Detect it Easy
Before we move on to grepping the keyword, let’s explore each executable file using the amazing tool Detect It Easy.
As you may be aware, there is not much fruitful information from Detect It Easy at this stage. However, I prefer to use it as the first step to understand and evaluate the executable file.
Dump password from exe via strings.exe
So, we will move on to explore what information is available inside the executable file via strings.exe. As I have said, we will try to grep for the keyword “AAAAA” using the findstr command.
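To show what the strings.exe plus findstr step actually does, and how a blue team can run the same check against its own build output before release, here is an added Python example (not code from the article or its github repository): it mimics strings.exe by pulling ASCII and UTF-16LE runs out of a byte buffer, greps them for a keyword, and flags any connection string that embeds a Password versus one that uses Integrated Security. The minimum string length of 4, the key list and the sample bytes are my assumptions; the sample only reuses the lab values given in the article.

```python
import re

# Assumption (not from the article): mimic strings.exe by pulling out runs of 4+
# printable ASCII bytes and 4+ UTF-16LE chars (.NET/Delphi store many literals as UTF-16).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
CONN_KEYS = {"server", "data source", "database", "initial catalog", "user id",
             "uid", "password", "pwd", "integrated security"}

def extract_strings(data):
    """Return (offset, encoding, text) tuples sorted by file offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(data)]
    return sorted(found)

def grep_keyword(data, keyword):
    """The findstr step: every extracted string that contains keyword."""
    return [text for _, _, text in extract_strings(data) if keyword in text]

def parse_connection_string(text):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (kv.split("=", 1) for kv in text.split(";") if "=" in kv)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_connection_strings(data):
    """Report each connection-string-like string: embedded password or not."""
    findings = []
    for offset, encoding, text in extract_strings(data):
        kv = parse_connection_string(text)
        if len(CONN_KEYS & kv.keys()) < 2:   # two known keys = connection string
            continue
        findings.append({
            "offset": offset, "encoding": encoding,
            "user": kv.get("user id", kv.get("uid")),
            "password": kv.get("password", kv.get("pwd")),
            "integrated_security": kv.get("integrated security", "").lower() in ("true", "sspi", "yes"),
        })
    return findings

def u16(s): return s.encode("utf-16-le")   # UTF-16LE literal, as stored in a .NET image

# Constructed stand-in for a binary: fake DOS header, ASCII member name, two UTF-16LE connection strings
SAMPLE_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8 + b"MyClassVarAAAAA\x00\x00"
    + u16("MyClassValueAAAAA") + b"\x00\x00"
    + u16("Server=localhost;Database=mytestdb;User ID=mytestuser1;Password=AAAAABB_2") + b"\x00\x00"
    + u16("Data Source=localhost;Initial Catalog=mytestdb;Integrated Security=True")
)
```

Run audit_connection_strings on the bytes of a real build artifact: a finding with a non-empty password is the case the article's results show, while a finding with integrated_security set is the form the Lab environment section describes as safe.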
Delphi
1) Delphi XE2 x64 +MySQL connection via CDS component
2) Delphi XE2 x86 +MySQL connection via CDS component
3) Delphi XE2 x64 +MySQL connection via unidac component
4) Delphi XE2 x86 +MySQL connection via unidac component
5) Delphi XE2 x64 +MySQL connection via zeoslib component
6) Delphi XE2 x86 +MySQL connection via zeoslib component
7) Delphi XE10 x64 +MySQL connection via CDS component
8) Delphi XE10 x86 +MySQL connection via CDS component
9) Delphi XE10 x64 +MySQL connection via unidac component
10) Delphi XE10 x86 +MySQL connection via unidac component
11) Delphi XE10 x64 +MySQL connection via zeoslib component
12) Delphi XE10 x86 +MySQL connection via zeoslib component
13) Delphi XE10 x64 +MySQL connection via firedac component
14) Delphi XE10 x86 +MySQL connection via firedac component
15) Delphi XE10 x64 FireMonkey GUI+MySQL connection via firedac component
16) Delphi XE10 x86 FireMonkey GUI+MySQL connection via firedac component
Visual Studio 2013
1) VB .NET 2013 x64 + .NET Framework 4.5 + MSSQL connection via datagrid datasource creation
2) VB .NET 2013 x86 + .NET Framework 4.5 + MSSQL connection via datagrid datasource creation
3) VB .NET 2013 x64 + .NET Framework 4.5 + MSSQL connection via App.config
4) VB .NET 2013 x86 + .NET Framework 4.5 + MSSQL connection via App.config
5) VB .NET 2013 x64 + .NET Framework 4.5 + MSSQL connection via code to define datasource method 1
6) VB .NET 2013 x86 + .NET Framework 4.5 + MSSQL connection via code to define datasource method 1
7) VB .NET 2013 x64 + .NET Framework 4.5 + MSSQL connection via code to define datasource method 2
8) VB .NET 2013 x86 + .NET Framework 4.5 + MSSQL connection via code to define datasource method 2
9) Visual C++ 2013 x64 + .NET Framework 4.5 + MSSQL connection via code to define datasource
10) Visual C++ 2013 x86 + .NET Framework 4.5 + MSSQL connection via code to define datasource
11) C# 2013 x64 + .NET Framework 4.5 + MSSQL connection via datagrid datasource creation
12) C# 2013 x86 + .NET Framework 4.5 + MSSQL connection via datagrid datasource creation
Visual Studio 2017
13) VB .NET 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via datagrid datasource creation
14) VB .NET 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via datagrid datasource creation
15) VB .NET 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via App.config
16) VB .NET 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via App.config
17) VB .NET 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource method 1
18) VB .NET 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource method 1
19) VB .NET 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource method 2
20) VB .NET 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource method 2
21) Visual C++ 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource
22) Visual C++ 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via code to define datasource
23) C# 2017 x64 + .NET Framework 4.6.1 + MSSQL connection via datagrid datasource creation
24) C# 2017 x86 + .NET Framework 4.6.1 + MSSQL connection via datagrid datasource creation
Visual Studio 2019
25) VB .NET 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via datagrid datasource creation
26) VB .NET 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via datagrid datasource creation
27) VB .NET 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via App.config
28) VB .NET 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via App.config
29) VB .NET 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource method 1
30) VB .NET 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource method 1
31) VB .NET 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource method 2
32) VB .NET 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource method 2
33) Visual C++ 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource
34) Visual C++ 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via code to define datasource
35) C# 2019 x64 + .NET Framework 4.7.2 + MSSQL connection via datagrid datasource creation
36) C# 2019 x86 + .NET Framework 4.7.2 + MSSQL connection via datagrid datasource creation
Summary
As shown above, we can draw some key observations from our experiment.
Firstly, remarks (comments) inside the source code are never available in the executable.
Secondly, many of the results show “Password=AAAAABB_2”. If we grep for a keyword such as Password in the executable file, then credential information may be available.
Thirdly, all the results show the password “AAAAABB_2”. Even though some of them do not contain the keyword “Password=” on the same line, it is still possible to build a dictionary for a brute force attack.
Fourthly, the names and values of variables may also be available. It is also important to notice that traditional Anti-Virus relies on keywords inside the malware executable file. These keywords may include variable names, values or debug messages. In fact, we have evaded traditional Anti-Virus many times by removing those keywords from the source code and re-compiling the executable.
To conclude, do not assume an executable file can keep your secrets: an attacker may be able to dump the password from the exe file. For instance, I saw an organization reasonably protect scripts containing credentials, but wrongly leave an executable file with embedded credentials unprotected. Moreover, an executable packer such as UPX can hide the credential information, but the information can still be extracted. We will further explore anti-debugging techniques to protect an executable in the future.